
pf.conf question



Greetings.

I have a small question about one of the examples in the pf.conf man page.

From the EXAMPLE section:

     # block and log everything by default
     block             out log on $ext_if           all
     block             in  log on $ext_if           all
     block return-rst  out log on $ext_if proto tcp all
     block return-rst  in  log on $ext_if proto tcp all
     block return-icmp out log on $ext_if proto udp all
     block return-icmp in  log on $ext_if proto udp all

I just want to make sure I am understanding the above correctly.

The first two rules block everything. So why are the next 4 needed?
My assumption is that they are helpful in reading the pflog log output.
(i.e., you know that it was rule 5 that got blocked.)
What are the advantages of logging the return-rst and return-icmp separately?